> [!abstract] In short
> An insider threat comes from someone who already has authorized access: an employee, contractor, or business partner. The danger is that the attack starts inside the trust boundary, which makes it far harder to spot than an outside attempt.

## What it is

An insider threat is anyone with legitimate access to company resources who uses that access to cause harm, whether on purpose or by accident. Because the access is authorized, perimeter controls never see anything wrong: the attack comes from inside rather than from outside, and that is exactly what makes it dangerous.

## Types of insider threat

> [!danger] Malicious insiders
> Deliberately seek to cause harm: stealing information, sabotaging systems, or committing fraud for personal gain, revenge, or to benefit another organization.

> [!warning] Negligent insiders
> Don't mean to cause harm but do so through carelessness or lack of awareness, like falling for phishing, vishing, or smishing.

> [!info] Compromised insiders
> An external attacker gets hold of an insider's credentials, often through social engineering, then acts with that person's legitimate access. The attacker is technically an outsider, but to every control in the environment they look like the legitimate user.

## How it works

Insider threats often follow a pattern called the **insider threat kill chain**.

1. **Motivation:** The insider develops a reason to act against the organization: financial pressure, resentment, ideology, or coercion.
2. **Planning:** Using the privileges they already hold, they identify valuable assets to exploit.
3. **Preparation:** They gather the tools or information needed, which may mean copying sensitive data or learning how to bypass controls.
4. **Execution:** The malicious action happens: data theft, sabotage, leaking confidential information, and so on.
5. **Concealment:** They cover their tracks to avoid detection, for example by deleting logs or making the activity look like routine work.

## Impact

- **Financial loss**, whether from stolen assets, fraud, or the cost of restoring confidentiality, integrity, and availability; an insider can hit the whole CIA triad.
- **Reputational damage**, since news of the incident erodes customer trust and can cost business.
- **Legal and regulatory consequences**, especially when leaked data falls under regulations like GDPR.
- **Operational disruption**, particularly when sabotage hits critical systems.

## Defenses

Insider threats are especially hard to detect, because the person already has legitimate access and ordinary authentication will let them in. The strongest measures limit what any one insider can do and watch for behavior that doesn't fit.

- **Principle of least privilege**: each user gets only the permissions they truly need, so a malicious or compromised account can reach only a small slice of the estate.
- **Separation of duties**: no single person controls a full critical process end to end; for example, the same person should not be able to both create a vendor and approve payments to it.
- **Behavioral monitoring**: watch for unusual signs like large data transfers, off-hours access, or sudden interest in systems the user never normally touches. This only works against a baseline of what is normal for that user.
- **Regular access reviews**: revoke permissions when people change roles or leave, since stale accounts and accumulated privileges are exactly what a malicious or compromised insider relies on.

> [!tip] You can't keep an insider out; they're already in.
> So the game shifts from "block access" to "limit and observe."

A healthy security culture matters here too: people who feel valued and informed are less likely to turn malicious, and more likely to report something that looks off.
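One way to put the behavioral-monitoring defense into practice is to build a per-user baseline from recent access logs and flag events that deviate from it. The Python below is an added example, not code from the original note: it parses a constructed log of `timestamp user system bytes` records, learns which systems each user normally touches and their typical transfer size, and then flags off-hours access, access to a system outside the user's own baseline, and transfers far above the user's norm. The log format, the 07:00-19:00 Monday-to-Friday business-hours window, the 10x size multiplier, and every user, system, and number are assumptions chosen for illustration.

```python
"""Baseline-and-deviation check for insider activity.

Added example, not from the original note. All log lines, users, systems,
and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

BUSINESS_HOURS = (7, 19)  # assumed office window: 07:00 <= hour < 19:00, Mon-Fri
SIZE_MULTIPLIER = 10      # assumed: flag a transfer over 10x the user's median


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    system: str
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    user: str
    ts: datetime
    rule: str
    detail: str


def parse_log(lines):
    """Parse constructed '<ISO timestamp> <user> <system> <bytes_out>' records."""
    events = []
    for line in lines:
        ts, user, system, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, system, int(nbytes)))
    return events


def build_baseline(events):
    """Per user: the set of systems normally touched and the median transfer size."""
    systems = defaultdict(set)
    sizes = defaultdict(list)
    for e in events:
        systems[e.user].add(e.system)
        sizes[e.user].append(e.bytes_out)
    return {user: {"systems": systems[user], "median_bytes": median(sizes[user])}
            for user in systems}


def is_off_hours(ts):
    """Weekend, or a weekday outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(baseline, window):
    """Compare each event in the review window against its user's own baseline."""
    alerts = []
    for e in window:
        if is_off_hours(e.ts):
            alerts.append(Alert(e.user, e.ts, "off_hours", f"{e.system} at {e.ts:%a %H:%M}"))
        profile = baseline.get(e.user)
        if profile is None:
            # A user with no history at all is itself worth a look.
            alerts.append(Alert(e.user, e.ts, "no_baseline", f"first seen, on {e.system}"))
            continue
        if e.system not in profile["systems"]:
            alerts.append(Alert(e.user, e.ts, "novel_system",
                                f"{e.system} not in {sorted(profile['systems'])}"))
        if e.bytes_out > SIZE_MULTIPLIER * max(profile["median_bytes"], 1):
            alerts.append(Alert(e.user, e.ts, "large_transfer",
                                f"{e.bytes_out} bytes vs median {profile['median_bytes']:.0f}"))
    return alerts


# Constructed baseline period: two users with routine, in-hours activity.
BASELINE_LOG = [
    "2024-03-11T09:12:00 alice hr-portal 48000",
    "2024-03-12T10:30:00 alice payroll-db 52000",
    "2024-03-13T14:05:00 alice hr-portal 45000",
    "2024-03-11T09:40:00 bob git-server 210000",
    "2024-03-12T16:20:00 bob git-server 190000",
]

# Constructed review window: one late-night bulk pull from an unfamiliar system,
# one routine event, and one user with no history.
REVIEW_LOG = [
    "2024-03-16T23:10:00 alice source-repo 2000000",
    "2024-03-15T10:00:00 bob git-server 180000",
    "2024-03-15T11:00:00 carol payroll-db 10000",
]


def run_example():
    """Build the baseline from BASELINE_LOG and review REVIEW_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(baseline, parse_log(REVIEW_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:<6} {a.rule:<15} {a.detail}")
```

In a real deployment the events would come from a SIEM or identity-provider logs and the baseline window and thresholds would be tuned to the organization. The design point is that each rule compares a user against their own history rather than a global threshold: that is what makes alice's Saturday-night pull of two megabytes from a repository she has never touched stand out, while bob's similar-sized routine pull from his usual system stays silent.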